Using etoken for SSL Web Authentication. SSL V3.0 Overview

Size: px

Start display at page:

Download "Using etoken for SSL Web Authentication. SSL V3.0 Overview"

Olivia Higgins
8 years ago
Views:

1 Using etoken for SSL Web Authentication Lesson 12 April 2004 etoken Certification Course SSL V3.0 Overview Secure Sockets Layer protocol, version 3.0 Provides communication privacy over the internet. Prevents eavesdropping, tampering or message forgery. 1

2 Why is it Secure? The Handshake protocol allows the server and client - 1. To authenticate each other 2. To negotiate an encryption algorithm and cryptographic keys, before sending or receiving the first byte of data. SSL Connection Security Properties The connection is private. A secret key is defined after the initial handshake. The peer s identity is authenticated using asymmetric cryptography (RSA). Symmetric cryptography is used for DATA encryption (DES, RC4). Message integrity check is done using secure hash functions (MD5, SHA). 2

3 Using etoken with SSL Client Authentication 1. Install etoken PKI client on client s machine 2. Issue a server certificate for server authentication 3. Store a certificate on the etoken for client authentication 4. Install on all computers the Root certificate of the CA that issues the users certificates 5. Configure the SSL options on the IIS for authenticating the client etoken solution supports standard web browsers using SSL v3 PKI authentication and signing. System Requirements Internet Explorer 5.0 and above Netscape 4.6 and above etoken R2 or PRO 3

4 Server Authentication 1. User launches a secure web page - 2. Client sends a random challenge 786hgr Server signs the challenge using the private key 4. Server sends response: signed challenge + server public key + server certificate 5. Client validates the signature using the server s public key 6. Client identifies the server by the server s certificate 7. Client verifies the validity of the certificate 8. Server authenticated 9. Client encrypts a shared session key for encrypted communication during this session. Client Authentication 1. Client requests access to a secure web page 2. Client authenticates the server (as described) 3. Server sends random challenge 786hgr456?>:$ 4. User logs in to etoken with etoken password 5. Client signs the challenge using the private key stored on the user s etoken 6. Client sends response: signed challenge + client public key + client certificate 7. Server validates the signature using the client s public key 8. Server identifies the client by the client s certificate and verifies the client s access rights 9. Client is authenticated - Server allows access. 10. Server & client can agree on a session key for encrypted communication 4

5 User Authentication Using etoken Note: Prior to the steps below, the IIS server must have a Valid Certificate in order to start SSL communication with the clients. 1. Click on Start and scroll up to Programs 2. Scroll over to Administrative Tools and point to Internet Services Manager 3. Double click on the Server name, select and double click the Default Web Site (the secure site) 4. On the right window pane, right-click the html file of the secured web site and launch its Properties 5

6 5. Click on File Security tab and click Edit in Secure Communication 6. Check Require Secured Channel (SSL) and Require Client Certificate 6

7 You can specify that only holders of certificates issued by specified CAs are allowed to access, as shown in the following example: Using etoken for Authentication 1. Go to the secure web page on the web server. 2. Click Yes if a Security Alert Dialog box appears 3. Select the Client Certificate that you want to use in the Client Authentication box and click OK. 4. Enter the etoken password when the etoken dialog box appears, in order to enable authentication using the certificate stored on the etoken. 5. The Secure tunnel is established. 7

8 SSL vs. DES Authentication Basing the access control on SSL is based on standard procedure, thus easier to implement. A user authentication method, relying on a users & secrets database on the server, is more complicated and requires constant maintenance. No server side modification is needed. Setting up the server for SSL authentication is done once at the initial setup. Using the etoken PRO for Challenge-response authentication is more secure. SSL vs. DES Authentication (continued ) Using SSL v3 is platform and browser independent. SSL authentication is used by banks and is common in business environments. Giving support to an SSL based authentication system and maintaining the system is relatively not complex. Disadvantage: initial investment of the customer in etokens is more expensive when using etoken PRO instead of R2. 8

Using etoken for Securing E-mails Using Outlook and Outlook Express

Using etoken for Securing E-mails Using Outlook and Outlook Express Lesson 15 April 2004 etoken Certification Course Securing Email Using Certificates Unprotected emails can be easily read and/or altered